The Department of Health and Human Services' Office for Civil Rights (OCR) and state attorneys general continued to pursue financial settlements for violations of the HIPAA Rules aggressively in 2017. From 9 settlements and one civil monetary penalty, OCR collected a total of $19,393,000 from covered entities and business associates. In 2016, 12 settlements with HIPAA-covered entities and business associates brought in $25,505,300. The covered entities and business associates that paid OCR financial penalties in 2017 are listed in the table below.
Covered Entity | Amount | Type | Violation Type |
--- | --- | --- | --- |
Memorial Healthcare System | $5,500,000 | Settlement | Insufficient ePHI Access Controls |
Children's Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty | Impermissible Disclosure of ePHI |
CardioNet | $2,500,000 | Settlement | Impermissible Disclosure of PHI |
Memorial Hermann Health System | $2,400,000 | Settlement | Careless Handling of PHI |
21st Century Oncology | $2,300,000 | Settlement | Multiple HIPAA Violations |
MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement | Impermissible Disclosure of ePHI |
Presence Health | $475,000 | Settlement | Delayed Breach Notifications |
Metro Community Provider Network | $400,000 | Settlement | Lack of Security Management Process |
St. Luke's-Roosevelt Hospital Center Inc. | $387,000 | Settlement | Unauthorized Disclosure of PHI |
The Center for Children's Digestive Health | $31,000 | Settlement | Lack of a Business Associate Agreement |
OCR's HIPAA enforcement activity in 2017 shows that many covered entities still fail to meet basic requirements of the HIPAA Rules: securing PHI on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and signing HIPAA-compliant business associate agreements with all vendors. Delayed breach notification remained a common violation in both 2016 and 2017, and in 2017 OCR for the first time reached a settlement based on that violation alone (Presence Health, $475,000).
OCR started the second phase of its HIPAA compliance desk audit program in late 2016. The full results of the audits have not yet been released, but OCR has announced preliminary findings. Each audited entity's compliance with the controls examined was rated from 1 to 5: a rating of 1 means the entity fully complied with the requirement, and a rating of 5 means the entity made no effort to comply. The preliminary findings are summarized in the table below. The audit program continues into 2018, and entities that made no attempt at all to comply with the HIPAA Rules can expect financial penalties.
HIPAA Rule (audits performed) | Control Audited | Covered Entities Rated 5 (no effort) | Covered Entities Rated 1 (full compliance) |
--- | --- | --- | --- |
Breach Notification Rule (103 audits) | Timeliness of Breach Notifications | 15 | 67 |
Breach Notification Rule (103 audits) | Content of Breach Notifications | 9 | 14 |
Privacy Rule (103 audits) | Right to Access PHI | 11 | 1 |
Privacy Rule (103 audits) | Notice of Privacy Practices | 16 | 2 |
Privacy Rule (103 audits) | Electronic Notice | 15 | 59 |
Security Rule (63 audits) | Risk Analysis | 13 | 0 |
Security Rule (63 audits) | Risk Management | 17 | 1 |
State attorneys general also enforce the HIPAA Rules. The HITECH Act gives them authority to bring actions and impose fines for HIPAA violations, but most choose to pursue privacy breaches under state law instead. The 2017 settlements between state attorneys general and HIPAA-covered entities are listed in the table below.
Covered Entity | State | Amount | Individuals Affected | Reason |
--- | --- | --- | --- | --- |
Cottage Health System | California | $2,000,000 | More than 54,000 | Failure to Safeguard Personal Information |
Horizon Healthcare Services Inc. | New Jersey | $1,100,000 | 3.7 million | Failure to Safeguard Personal Information |
SAManage USA, Inc. | Vermont | $264,000 | 660 | Exposure of PHI on the Internet |
CoPilot Provider Support Services, Inc. | New York | $130,000 | 221,178 | Late Breach Notifications |
Multi-State Billing Services | Massachusetts | $100,000 | 2,600 | Failure to Safeguard Personal Information |